
RE: linux-authentication via openldap



On Fri, 18 Jan 2002, Brian Johnson wrote:

> I am trying to use openldap with Red Hat 7.2 as well but am having trouble
> getting things configured properly.
>
> Could you tell me the process you followed to get it to work?
>
> I wonder if I am having trouble with the user permissions on the default
> /var/lib/ldap directory (set to user ldap group ldap by default) but the
> manager in the default slapd.conf is not ldap - it's Manager.

We have several servers pointed to LDAP auth (as well as web, mail, imap,
and applications).

On the servers there are some key things to do.

Under redhat 7.2:
o Install nss_ldap latest version from Red Hat and required openldap rpms
o Install and set to run nscd (chkconfig --level 345 nscd on ; service nscd
	start)
o Run authconfig.  Set it to ldap for both user information and authentication
	o this will modify your /etc/pam.d/* files to use pam_ldap in
	system-auth, as well as nsswitch.conf and ldap.conf
o Edit ldap.conf to set the variables for your system, esp.:
-------
host YOURLDAPHOST.FQDN.TLD	# needed for tls to get FQDN on cert right
ssl start_tls	# if you use tls
tls_checkpeer no	#ditto
tls_ciphers TLSv1	#ditto
base YOURBASEDN such as o=ORG
ldap_version 3
binddn uid=AUSERTHATCANREADONLY,o=ORG
bindpw THATUSERSPASSWORD
port 389
bind_timelimit 10
timelimit 20
scope sub
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_groupdn cn=SYSTEMACL,ou=Groups,o=ORG
pam_member_attribute uniquemember
pam_password crypt
-------

The pam_groupdn is required to allow only those people in this group
(groupOfUniqueNames) to authenticate for login on this host.

Unless unauthenticated (anonymous bind) users can read the password field
(very bad), you need to use binddn and bindpw.  Time limits are optional.

The openldap-2.0.11 RPM is built for single server operation only (no
threading), which may or may not be a problem depending on the number of
queries you have.

You can edit nsswitch.conf to remove nis flags for fields; this will make
lookups fast.  Leave files in for password etc., as this will give you a base
if LDAP is not working.  If it doesn't work, reboot (Ctrl-Alt-Del) and boot
"linux emergency" at the LILO prompt.  It'll be the only way to get in if LDAP
is not working.

Regards
Jim
>
>
> Brian Johnson
> bjohnson@jecinc.on.ca <mailto:bjohnson@jecinc.on.ca>
> Johnson Engineering Consultants
> 368 Huron St., Stratford, Ont.
> Ph: 519-271-9923
> Fax: 519-271-5353
>
>
>
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of David Vu
> Sent: Thursday, January 17, 2002 7:06 PM
> To: SteveSimeonidis@spherion.com
> Cc: openldap-software@OpenLDAP.org
> Subject: RE: linux-authentication via openldap
>
>
> Looks like logging is enabled on the openldap server; turning it off in
> /etc/openldap/slapd.conf should help the speed.
>
> Cheers,
>
> David.
>
> : -----Original Message-----
> : From: owner-openldap-software@OpenLDAP.org
> : [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Steve
> : Simeonidis
> : Sent: Wednesday, January 16, 2002 1:35 AM
> : To: openldap-software@OpenLDAP.org
> : Subject: linux-authentication via openldap
> :
> :
> : I've converted the passwd/shadow entries to ldap format.
> : I can log on to the system but the following messages come
> : up every second
> : which slow down the system dramatically.
> :
> : changed /etc/nsswitch.conf (RedHat 7.2)
> : passwd:     ldap
> : shadow:     ldap
> : group:      ldap files
> :
> : /etc/openldap/ldap.conf
> : HOST 127.0.0.1
> : BASE dc=spherion,dc=com
> : pam_crypt       local
> :
> : Do I have to make any other changes?
> :
> :
> : Jan 15 15:22:18 apollo slapd[957]: conn=28 op=539863 SEARCH RESULT tag=101 err=0 text=
> : Jan 15 15:22:18 apollo slapd[957]: conn=28 op=539864 SRCH base="dc=spherion,dc=com" scope=2 filter="(&(objectClass=posixGroup)(gidNumber=500))"
> : Jan 15 15:22:18 apollo slapd[957]: conn=28 op=539864 SEARCH RESULT tag=101 err=0 text=
> : Jan 15 15:22:18 apollo slapd[957]: conn=28 op=539865 SRCH base="dc=spherion,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=500))"
> : Jan 15 15:22:18 apollo slapd[957]: conn=28 op=539865 SEARCH RESULT tag=101 err=0 text=
> : Jan 15 15:22:19 apollo slapd[957]: conn=28 op=539866 SRCH base="dc=spherion,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=500))"
> : Jan 15 15:22:19 apollo slapd[957]: conn=28 op=539866 SEARCH RESULT tag=101 err=0 text=
> : Jan 15 15:22:19 apollo slapd[957]: conn=28 op=539867 SRCH base="dc=spherion,dc=com" scope=2 filter="(&(objectClass=posixGroup)(gidNumber=500))"
> : Jan 15 15:22:19 apollo slapd[957]: conn=28 op=539867 SEARCH RESULT tag=101 err=0 text=
> : Jan 15 15:22:19 apollo slapd[957]: conn=28 op=539868 SRCH base="dc=spherion,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=500))"
> : Jan 15 15:22:19 apollo slapd[957]: conn=28 op=539868 SEARCH RESULT tag=101 err=0 text=
> : Jan 15 15:22:19 apollo slapd[957]: conn=28 op=539869 SRCH base="dc=spherion,dc=com" scope=2 filter="(&(objectClass=posixGroup)(gidNumber=500))"
> : Jan 15 15:22:19 apollo slapd[957]: conn=28 op=539869 SEARCH RESULT tag=101 err=0 text=
> : Jan 15 15:22:19 apollo slapd[957]: conn=28 op=539870 SRCH base="dc=spherion,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=500))"
> : Jan 15 15:22:19 apollo slapd[957]: conn=28 op=539870 SEARCH RESULT tag=101 err=0 text=
> : Jan 15 15:22:20 apollo slapd[957]: conn=28 op=539871 SRCH base="dc=spherion,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=0))"
> : Jan 15 15:22:20 apollo slapd[957]: conn=28 op=539871 SEARCH RESULT tag=101 err=0 text=
> :
> :
> : Steve Simeonidis
> : Network Engineer, Spherion Education
> : Spherion Group Ltd
> :
> : 1st Floor, 493 St. Kilda Rd, Melbourne VIC 3004, Australia
> : Phone:  +61 3 9243 2382    Fax:    +61 3 9820 2010
> : Email: stevesimeonidis@spherion.com
> :
> :
> :
> :
>

-- 
James Bourne, Supervisor Data Centre Operations
Mount Royal College, Calgary, AB, CA
www.mtroyal.ab.ca

******************************************************************************
This communication is intended for the use of the recipient to which it is
addressed, and may contain confidential, personal, and or privileged
information. Please contact the sender immediately if you are not the
intended recipient of this communication, and do not copy, distribute, or
take action relying on it. Any communication received in error, or
subsequent reply, should be deleted or destroyed.
******************************************************************************
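An added example, not code from the thread or from the nss_ldap/pam_ldap project: a small Python linter for the /etc/ldap.conf settings Jim's reply walks through. It flags the points a practitioner would want to check before pointing a host's logins at the directory: TLS not enabled at all (the original poster's config), "tls_checkpeer no" as in the reply's example (the server certificate is never verified, so whoever can redirect the connection to port 389 can present any certificate and collect the bind password and every login password), a bindpw stored in a file that every NSS client process must be able to read, and a missing pam_groupdn (every posixAccount in the directory would be able to log in). The three sample configurations are constructed: the reply's example with its placeholders filled in, a corrected version of it, and the original poster's three lines re-typed. The parse rule approximates nss_ldap's reader; rootbinddn, tls_checkpeer and tls_cacertfile are real nss_ldap options, but the host names, DNs, paths and severities are this editor's choices.

```python
"""Lint an nss_ldap/pam_ldap /etc/ldap.conf for the settings discussed above.
Added example, not code from the post or from nss_ldap: the parse rule
approximates the library's reader, the severities are this editor's
judgement, and all three sample configurations are constructed."""
import os
import re
import stat

# The reply's ldap.conf with its placeholders filled in (abridged).
SAMPLE_WEAK = """\
host ldap.example.org\t# needed for tls to get FQDN on cert right
ssl start_tls\t# if you use tls
tls_checkpeer no\t#ditto
base o=ORG
binddn uid=nssreader,o=ORG
bindpw s3cret
pam_filter objectclass=posixAccount
pam_groupdn cn=SYSTEMACL,ou=Groups,o=ORG
pam_member_attribute uniquemember
"""

# Same host with the weak points corrected: the server certificate is checked
# against a CA, and the only secret is root's, read from /etc/ldap.secret (0600).
SAMPLE_FIXED = """\
host ldap.example.org
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem
base o=ORG
rootbinddn cn=Manager,o=ORG
pam_filter objectclass=posixAccount
pam_groupdn cn=SYSTEMACL,ou=Groups,o=ORG
pam_member_attribute uniquemember
"""

# The original poster's client config, re-typed from the quoted message.
SAMPLE_ORIGINAL_POST = "HOST 127.0.0.1\nBASE dc=spherion,dc=com\npam_crypt local\n"

TLS_VALUES = ("start_tls", "on", "yes")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_ldap_conf(text):
    """Return {lowercase key: value}; '#' starts a comment, last line wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_ldap_conf(conf, file_mode=None):
    """Return [(severity, key, message)].  file_mode is the file's st_mode
    when known; with a bindpw present it decides who can read that secret."""
    out = []
    if conf.get("ssl", "").lower() not in TLS_VALUES:
        out.append(("high", "ssl", "no TLS: the bind password and every login "
                    "password cross the wire in clear; set 'ssl start_tls'"))
    else:
        if conf.get("tls_checkpeer", "").lower() != "yes":
            out.append(("high", "tls_checkpeer", "server certificate is not "
                        "verified, so whoever can redirect port 389 can present "
                        "any certificate and collect bind and login passwords; "
                        "set 'tls_checkpeer yes' plus tls_cacertfile/tls_cacertdir"))
        if IPV4.fullmatch(conf.get("host", "")):
            out.append(("medium", "host", "host is an IP literal; the "
                        "certificate name check needs the FQDN on the cert"))
    if "bindpw" in conf:
        exposed = file_mode is not None and bool(file_mode & stat.S_IROTH)
        out.append(("high" if exposed else "medium", "bindpw",
                    "bind password in the config file%s; any local user who can "
                    "read it can bind as that account and read whatever it can "
                    "(the password hashes, if shadow lookups go through it); "
                    "use rootbinddn with /etc/ldap.secret for the privileged "
                    "bind instead" % (", which is world-readable" if exposed else "")))
    if "pam_groupdn" not in conf:
        out.append(("high", "pam_groupdn", "no host access group: every "
                    "posixAccount in the directory can log in here; set "
                    "pam_groupdn to a group such as cn=SYSTEMACL,ou=Groups,o=ORG"))
    elif "pam_member_attribute" not in conf:
        out.append(("medium", "pam_member_attribute", "pam_groupdn is set "
                    "without pam_member_attribute, which must name the group's "
                    "membership attribute (uniquemember for groupOfUniqueNames)"))
    return out


def lint_file(path):
    """Lint a real file, taking its permission bits into account."""
    with open(path) as fh:
        return lint_ldap_conf(parse_ldap_conf(fh.read()), os.stat(path).st_mode)


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED),
                       ("original post", SAMPLE_ORIGINAL_POST)):
        print(f"== {name} (treated as a world-readable file)")
        for sev, key, msg in lint_ldap_conf(parse_ldap_conf(text), 0o100644):
            print(f"  [{sev}] {key}: {msg}")
```

Run it against the real file with lint_file("/etc/ldap.conf"); on a Red Hat 7.2 box that file is world-readable because every process doing NSS lookups has to open it, which is why the bindpw finding is rated high there and why the corrected sample moves the only privileged credential to rootbinddn and /etc/ldap.secret.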